LetsEncrypt is the cool new kid on the block for this. I had a look
at it a while ago and chose not to jump on the bandwagon back then
— you had to run their script on your server and certificates were
only valid for a few months. But with the impending loss of my
StartCom certificates it was time to have another look.

It turns out that in the meantime there is a plethora of options to
get certificates from them. Many of these don't need to run on the
remote server and don't even require root privileges. After a
cursory look at the available options I semi-randomly picked
getssl.

cd Private/Certs/
mkdir LetsEncrypt
cd LetsEncrypt
# Generate the LetsEncrypt user (account) key and export its public half:
openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
chmod 400 user.key user.pub
getssl -c hdurer.net
# Edit ~/.getssl/getssl.cfg for common options and
# ~/.getssl/hdurer.net/getssl.cfg for the ones specific to the hdurer.net certificate.
# If you have more domains you can just say
getssl -c some.other-domain.com
# and change the relevant bits in the getssl.cfg in the new subdirectory.

The tool allows you to use DNS as a verification mechanism which is
useful as it allows me to verify the domain(s) without having to
place files onto a webserver running under that domain (and in
fact, issue separate certificates for domains that don't have a
webserver serving content). My DNS hoster has an API to manage DNS
entries and there is a Python library to access that API, so all I
needed was a little helper script (see below). The only issue I
found is that I need to use almost excessive waiting delays to
ensure that LetsEncrypt will reliably see the changed DNS entries.

The relevant section from my getssl.cfg file reads:

# Use the following 3 variables if you want to validate via DNS
VALIDATE_VIA_DNS="true"
DNS_ADD_COMMAND="/path/to/DNSHelper add"
DNS_DEL_COMMAND="/path/to/DNSHelper remove"
DNS_WAIT=15
DNS_EXTRA_WAIT=500

And the helper script itself is as follows (excuse the hacky Python, I
couldn't even be bothered to parse the arguments properly):
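The author's own script is not reproduced on this page. As an added example (not the post's code), this is the shape such a helper takes: it assumes getssl invokes DNS_ADD_COMMAND and DNS_DEL_COMMAND with the domain and the challenge token as its two arguments, and it replaces the unnamed hoster's API with an in-memory zone. It also handles wildcard names, which the post does not mention.

```python
"""getssl DNS-01 helper (added example, not the post's script). Assumed contract:
getssl runs "<helper> add <domain> <token>" before validation and
"<helper> remove <domain> <token>" afterwards; the helper must publish a TXT
record named _acme-challenge.<domain> holding <token>."""
import sys

# Constructed stand-in for the DNS hoster's zone (name -> set of TXT values);
# a real helper would call the provider's API here instead.
ZONE = {}

def challenge_name(domain):
    """Record name for a certificate name; '*.example.net' and 'example.net'
    both validate at '_acme-challenge.example.net'."""
    host = domain.strip().rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]
    if not host or any(c in host for c in "/ @"):
        raise ValueError(f"not a host name: {domain!r}")
    return f"_acme-challenge.{host}"

def add_record(domain, token, zone=ZONE):
    """Add the token as one TXT value without dropping other values (a base
    name and its wildcard need two tokens under the same record name)."""
    name = challenge_name(domain)
    zone.setdefault(name, set()).add(token)
    return name

def remove_record(domain, token, zone=ZONE):
    """Withdraw only our token; False means it was not there, so a cleanup
    run after a failed add is harmless."""
    name = challenge_name(domain)
    values = zone.get(name, set())
    if token not in values:
        return False
    values.discard(token)
    if not values:
        del zone[name]
    return True

def main(argv):
    if len(argv) != 3 or argv[0] not in ("add", "remove"):
        sys.exit("usage: DNSHelper add|remove <domain> <token>")
    action, domain, token = argv
    if action == "add":
        print(add_record(domain, token))
    elif not remove_record(domain, token):
        print("record not present, nothing removed", file=sys.stderr)

if __name__ == "__main__":
    main(sys.argv[1:])
```

Pointed at by DNS_ADD_COMMAND and DNS_DEL_COMMAND as in the config above, getssl calls it once per name before and after each validation, so the add and remove paths must both tolerate a name that already has other values.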

You can try different config settings and fiddle with the script as
much as you want while the getssl config points to the staging
server (the default value). Once you get it to work well, change
the config to use the real server and just run getssl -a to have all
configured certificates issued. Don't switch too early as the
production server has a (not very severe) rate limit and you could
lock yourself out of certificate generation for a week.

The tool places the certificates in the relevant subdirectories
but you can also configure it to place copies elsewhere (e.g. via
scp to the remote server itself). But once you have the
certificates, the rest is easy. Just remember to regenerate them
(just run getssl -a again) before they expire. If you have
everything set up properly you could make that a cronjob…

Our old family server was getting a bit long in the tooth, had a
few random reboots and was running out of disk space anyway (plus
it had an old 32-bit Atom CPU so that we could not even run Docker
etc.). So in the end I broke down and ordered a new one. After a
bit of searching around on the web I went with QuietPC.com and
picked a much beefier machine this time than what we had before
(back then I was going for size and very low energy consumption but
in the end we paid for it with no upgradability and very slow
speed). The machine arrived recently and looks fine. So far I am
happy but it's too early to say much yet, I'll write up my
experiences in a while.

For a while now I had SSL and Speedy on this site. Having SSL
isn't very hard. StartCom will give you a free certificate for
your server (and also S/MIME email certificates for your email
accounts) if you are willing to navigate and endure their terrible
UI. There is an easy option of letting them create the key and
certificate, but I encourage you to do the proper thing of creating
your own key pair so that you know that only you have the private
key. I found these instructions quite useful.

But setting things up so you don't just have SSL but have good and
secure SSL settings is trickier. I found a good article which
walks you through the steps to set options and ciphers so that the
SSL checker will give you an A rating.

Just a quick note that after a bit more than a year I have again
removed the ads and Google Analytics from this site. I no longer
need to learn about these things and they are not really useful for
a low-traffic site like this anyway, so why bother?

For quite some time I have had a Pebble smart watch now and was
quite happy with it. Certainly, had it died some unexpected death
I would have happily bought a new one. But for this Christmas I
was given a new shiny toy — an LG G Watch (the original, not the
new, round R model):

It looks just as unstylish and nerdy as the Pebble but the
wristband at least is slightly nicer (and also a standard size so
you can replace it easily with something less offensive should you
be bothered). I got the white model (the only other option is the
black model) but that only refers to the wrist band and the back
side of the watch which you don't see; basically it's a black watch
with a white wrist band.

Battery life is better than expected thanks mainly to having had
very low expectations. After a full day (~16h of use) it still has
around 50% of power, so you get more than 24h of usage but
still have to charge it every day. This is still better than my
phone but sadly that is a very low hurdle to take.

The display is good enough and I find it easier to read than the
Pebble's display where my ageing eyes frequently struggled to read
more than the headline of any message displayed. When you are not
using it the display dims and turns greyscale only (all to save
energy I assume). This works surprisingly well for me. At night
or in the cinema you can also activate a cinema mode where the
screen is completely off when not used.

The interface takes some getting used to — there is a very short
tutorial but usually searching the internet tends to tell you
quickly what you want to know. It all works ok for me. Sometimes
I wish there were buttons for some common actions as the swipe
actions don't always work for me when done casually but this is not
a big problem for me so far.

Initial setup felt more like using a Windows system — the Android
Wear app on my phone crashed right after pairing and the watch
spent the first few minutes downloading updates and rebooting
various times. I walked away during this but it felt like around
10 minutes between powering up and actually being able to do
anything with the thing.

The watch faces that come built-in are a bit boring for my taste
but there are nice ones you can install. (Installing watch faces
and apps means installing them on your phone and then they'll just
automagically show up on the watch.) I am currently using
InstaWeather for Android Wear and am quite happy with that. (Over
Christmas I managed to amuse the family by showing the Santa watch
face that came with Google Santa tracker app).

Besides that I only use the Google Keep app which allows me to tick
off items from my shopping list without taking out and unlocking my
phone and very occasionally the UK Trains for Wear app to check on
train times. To start these apps, the Wear Mini Launcher seems to
be the tool of choice and works reasonably well for me.

The real advantage of the Android Wear over the Pebble is that you
can not only read notifications but also dismiss them on the phone.
Initially I found this irritating but now appreciate it as it
actually reduces the urge to idly click on the notifications once
you take out your phone. One does have to make sure however to not
dismiss things that should be handled soon lest one forgets all
about it.

The whole voice thing has not proven useful for me so far. The
voice commands don't work for me in German (my phone is set to
German and the watch copies these settings) and while searches do
work mostly I find little occasion where actually talking to my
watch is not socially awkward or even annoying to those around me.
My one attempt to impress my friends was a total failure so I left
it at that.

In conclusion I am quite happy with my new watch although the delta
to the Pebble isn't big enough that I'd spend any money to replace
an existing Pebble. So, if you are happy to buy into the Android
world (and risk turning your smart watch into a door stop should
you choose to change phone platform) this might well be a watch for
you (and of course there are prettier Wear devices).